search for: forgery

Displaying 20 results from an estimated 74 matches for "forgery".

2009 Jun 09
3
protect_from_forgery doesnt protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, passwo...
2008 May 08
1
disabling forgery protection
Hi, I have to enable batch uploads to my website with CURL and forgery protection in ApplicationController is standing in my way. I do use the restful authentication plugin and I do call login_required on all actions. Should I keep forgery protection around? Forgery protection only makes sure that the client request has originated from client''s session, righ...
2010 Jul 19
0
Protect from forgery for Rest destroy action ???
Hi !! I''m reading the rails guides about security, i had a question about the forgery protection If we consider a standard Restful resource ( generated with scaffold for example ), the update and create actions are protected from forgery attacks thanks to the authenticity token, but what about the destroy method ?? <a href="/posts/2" data-method=&quot...
2008 Aug 21
4
forgery Protection
...ms/1.8/gems/actionpack-2.1.0/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'' /home/dara/apps/ruby-1.8.6/lib/ruby/1.8/benchmark.rb:293:in `measure'' I don''t have the secret commented in the environment either. Should I be trying to disable forgery protection for certain calls from facebook/bebo ? Cheers
2008 Aug 25
1
Catch forgery errors
Hi all, I am using ajax for some request but when the user session expire, I get a ActionController::InvalidAuthenticityToke error. Do you know how I could trap this error and redirect to the login panel ? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails:
2005 May 12
1
Cross-site Request Forgery
Hi all, I stuck a little bit of information on CSRF on the wiki (http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery) and created a "Security Concerns" page from the home page (http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would be good to have a single point of information for all know security holes and fixes (even if they aren''t Rails specific). Ideally information on CSRF s...
2009 May 05
3
Unable to deactivate forgery protection
Hi, I just created a new Rails app that will be receiving some POSTed data from the outside so it must skip the verify_authenticity_token for some create actions. Although I have added: skip_before_filter :verifiy_authenticity_token I still get InvalidAuthenticityToken. In one of my other Rails app (created back in Rails 1.2.6 and updated to 2.3.2 over time) this skipping works perfectly though,
2006 Aug 02
0
How to counter Cross Site Request Forgery?
Hi, We would like to create a unique string when a user logs in and pass the string between actions. Each user can compare the incoming string with the one stored in the session to assert whether the request is coming from within the application or from a malicious external source. What mechanism can we use to pass this string around? Passing as params to the actions ,may not be an option as
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
...create action to not use rails'' default CSRF protection. I''ve got that working fine & test it actually works with cucumber (where I''ve turned CSRF back on, since it''s full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail when it''s not set). I''ve not had any luck with telling the controller or ActionController::Base to use forgery protection in the spec and am a bit stuck. Has anyone done this before, or do any of these look possible: * reload the rails app for...
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi, http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he''d like to read), and again he will get a new token. Then he changes to th...
2011 Jul 26
1
[Announce] Samba 3.5.10, 3.4.14 and 3.3.16 Security Releases Available
Release Announcements ===================== Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT). o CVE-2011-2522: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 3.5.9 are affected by a cross-site request forgery. o CVE-2011-2694: The Samba Web Administration Tool (SWAT) in Samba version...
2011 Jul 26
1
[Announce] Samba 3.5.10, 3.4.14 and 3.3.16 Security Releases Available
Release Announcements ===================== Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT). o CVE-2011-2522: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 3.5.9 are affected by a cross-site request forgery. o CVE-2011-2694: The Samba Web Administration Tool (SWAT) in Samba version...
2008 Sep 02
4
Rescue rails errors
...tion: ActionController::InvalidAuthenticityToken in ManageController#site_servers ActionController::InvalidAuthenticityToken I tried to put the code in manage controller between begin ... rescue ... end but it didn''t catch the error. So I tried in the application.rb controller, I put the forgery code between begin ... rescue ... end, but it didn''t work neither. How could I trap this error ? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails:...
2008 Dec 22
0
FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd
...GNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-08:12.ftpd Security Advisory The FreeBSD Project Topic: Cross-site request forgery in ftpd(8) Category: core Module: ftpd Announced: 2008-12-23 Credits: Maksymilian Arciemowicz Affects: All supported versions of FreeBSD. Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE) 2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2...
2009 Mar 12
5
InvalidAuthenticityToken from home page
I''m trying to create a log in in index.html, but I keep getting an error about InvalidAuthenticityToken. I understand this is something that RoR puts in the forms, and it changes regularly. The problem is that the home page in the public folder is html, and therefore static. has anyone else put a log in on their home page? -- Posted via http://www.ruby-forum.com/.
2004 Aug 06
0
Re: mail bounces
...est is broken if running a private ftp server is enough to get you on the list. More collateral damage in the email wars. I've requested a retest, which should get us off the list. > and of less importance, but to raise awareness to those of you who > aren't aware of SPF (SMTP Anti-Forgery - http://spf.pobox.com) xiph > isn't publishing SPF records, which I would advise perhaps looking in > to. Sometimes forgery is useful. Otherwise it's a nice idea. -r -- Ralph Giles Xiph.org sysadmin --- >8 ---- List archives: http://www.xiph.org/archives/ Ogg project homepag...
2019 Jul 17
0
pigeonhole question: filtering on delivered-to in case of fetchmail
...t used fetch mail in many many years, so I can?t answer anything specifically about it, but if you use it to allow external senders to send mail via your system in a way that is not authenticated then you should not do that. I do NOT allow email claiming to be from my domains. The problem is "forgery" of Reply-To headers. It isn't really forgery as far as I know there is now method to check this anywhere. People are allowed to put what they want there. The setups in question do NOT allow unauthenticated submission with a FROM from the internal domain. I have erased the email in questi...
2008 Jun 06
2
422/InvalidAuthenticityToken with fb_request_form
All, I''m using the ActiveRecord store for sessions and have gotten form submissions to work, but I can''t get the fb:request-form that''s generated by fb_request_form to work, it doesn''t seem to add hidden fields for the token. Should it? Can it even (add extra fields to the fb:request-form)? My view: <% content_for("challenge_content") do %>
2008 Apr 04
4
Auto Complete Problems
Hello All, I''m a RoR newbiew, trying to experiment with Autocomplete, but I''m having some difficulties. When I start typing in my input box, instead of getting a nice drop down, the styling on my page is getting all out of wack (ie my background colours change, link styling changes, etc) and I''m not seeing any autcompletion data. Here are the steps I''ve taken
2019 Jul 16
3
pigeonhole question: filtering on delivered-to in case of fetchmail
So, one of the problems I am seeing is that people are trying to fake users into revealing information by sending from an outside domain but with an internal reply to address and claiming to be administration, IT or what not. I can set up something that will reject if from is outside the domain by reply to is internal. The problem is in some setups, there are fetchmail setups. I do not want to